Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Monday, April 20, 2009

Hackers are Opportunists

Over the years we've all seen the arguments over which operating system is "better" or, for the purposes of this blog, more secure. In the end, I've always contended that any OS can be mis-configured equally poorly and each of the relevant, modern operating platforms has its positives and negatives. Whereas Microsoft's Windows platform tends to cater to the less technically intensive administrators, Linux covers those who need ultimate flexibility and aren't afraid to write their own code when the need comes, and the various UNIX platforms cater to more advanced administrators who don't need the GUI to control their OS. Those are given, accepted arguments that don't need to be re-defined.

At the desktop, the debate of late has been which OS is more secure in spite of the user sitting at the controls. While Apple has launched an entire campaign aimed at making Microsoft's Vista OS look inept, insecure, and crash-prone... and quite frankly "no fun", they have quietly misled the audience. Apple's message, snuck into the latter series of the commercials, has been "Macs don't get viruses or malware"... yet they continue to advise their users to purchase and use anti-virus applications.

Are Mac computers secure?

Yes. While no computer connected to the Internet is 100 percent immune to viruses and spyware, the Mac is built on a solid UNIX foundation and designed with security in mind. The Mac web browser, Safari, alerts you whenever you’re downloading an application — even if it’s disguised as a picture or movie file. And Apple continually makes free security updates available for Mac owners. You can even have them download automatically.

Fairly interesting, there is no mention of needing anti-malware software anywhere... Even more interesting is this link from SC Magazine which takes note of the quiet release from Apple telling users to start using Anti-Malware software on their Macs... even more interesting is the fact that the alert issued apparently doesn't exist anymore (it was pulled, or changed, or....?).

Now it looks like there is even a new trojan hidden inside some Mac software (warez) downloads from the pirate Internet which creates a Mac botnet! While reports of how effective this botnet and trojan really were have been debated - quite frankly it's immaterial. The fact is, Macs are now a target too. The Macintosh has become a victim of its own success, much like the PC was years and years ago. Apple's brilliant marketing blitz coupled with users' backlash against Windows operating-systems issues has propelled Macs to the height of popularity - of course this means new Mac owners and thus more Macs out there to exploit and use.

Hackers are opportunists, I hope that's no revelation. The goal of a hacker is to exploit a system to achieve some end, usually that end is to make money. If I'm a writer of malicious code (or other malware) I want to touch the largest audience possible with my piece of software - therefore I will go after the largest market-share of operating systems. This clear example illustrates why Windows users have been the target for such an overwhelmingly large percentage of malware over the years... simple economics.

Now that Macs have become more popular we're starting to see a huge influx of clueless Mac users, much like the PC experienced years and years ago. Naturally, this means that more malicious software will start to flood the dark corners of the Internet as user volumes increase for the Mac.

Stay vigilant... it doesn't matter what OS you're using, what browser you're using and how natively secure you were told your operating system is... you're going to be a target at some point. There is no such thing as effortlessly secure, the fact is that whether you're using a Mac, a Windows OS, or something else - you're still going to be a victim if you're ignorant.

2 comments:

You also have your story quite backwards. For years and years the clueless have used Macs, the interesting new influx is not more clueless users but that just about every security guy you see today has a Mac in their hand. As the Mac becomes the platform for hackers, it's inevitable that some of them will turn their attention to the platform itself.

I also think that the opportunity cost plays a big part, I don't have time to do the research but I bet you could draw a correlation between the % of hacking and the avg cost (or availability of free access) people have to computing resources. In other words, as Macs have declined in price (I can now get one for 500 bucks new, less if used) so has the amount of security attention.

Last but not least, can you dial down the FUD a little please, I'm sick of reading blog postings that tell me I should be scared to walk down the street without offering some advice beyond "Stay vigilant!" Seriously man, I know you can do better than that!

@Erik: Wow. I can see your parallel between Macs getting cheaper and more attacks being done on them; but consider that determined hackers (like those who build large, crime-syndicate-ready botnets) have plenty of resources and a higher cost of acquisition isn't going to deter them. I realize a lot of security folks these days have flocked to Macs, and it's likely that the underlying framework of the OS is more suited to their work (MacOS now has a shell prompt!).

I would count you as a minority in the "we already know this" category since there are still ads that run from Apple trying to convince people that Macs are somehow natively more resilient to malware (which isn't true at all)... and the masses will see and believe that. These are all marketing ploys and sales tactics which people fall for, after all.

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also stand up to misuse and attack better.

Remember, prevention is a myth the snake-oil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.